path: root/t/t7612-merge-verify-signatures.sh
blob: 61330f71b1749c92a79153a3fce4f1834bfed248 (plain)
#!/bin/sh

# Description string for this test script (consumed by test-lib.sh).
test_description='merge signature verification tests'
# Pin the initial branch name so the "git checkout main" at the end of the
# setup test resolves.
GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME=main
export GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME

# Load the test harness, then the GPG helper library from the test directory.
# NOTE(review): lib-gpg.sh presumably provides the GPG prerequisite and the
# test keyring used below; it is not visible here -- confirm.
. ./test-lib.sh
. "$TEST_DIRECTORY/lib-gpg.sh"

# Setup: build one branch per signature state, each forked from the "initial"
# tag, then return to main.
#   side-signed    - commit created with -S (default signing key).
#   side-unsigned  - commit created without -S.
#   side-bad       - commit created with -S; its raw object is then rewritten
#                    with sed ("bad" -> "forged bad" at line start) and written
#                    back as a new commit object whose id is saved in the file
#                    forged.commit. Only the message line is altered, so the
#                    copied signature no longer covers the object content.
#                    The side-bad branch itself still points at the validly
#                    signed commit; later tests merge the id in forged.commit.
#   side-untrusted - commit signed with key id B7227189 (-SB7227189);
#                    presumably a key the test keyring does not trust --
#                    confirm against lib-gpg.sh.
# NOTE(review): every test here carries the GPG prerequisite, and test-lib
# skips prerequisite-gated tests when the prerequisite is missing; a green run
# on a host without GPG therefore says nothing about signature enforcement.
test_expect_success GPG 'create signed commits' '
	echo 1 >file && git add file &&
	test_tick && git commit -m initial &&
	git tag initial &&

	git checkout -b side-signed &&
	echo 3 >elif && git add elif &&
	test_tick && git commit -S -m "signed on side" &&
	git checkout initial &&

	git checkout -b side-unsigned &&
	echo 3 >foo && git add foo &&
	test_tick && git commit -m "unsigned on side" &&
	git checkout initial &&

	git checkout -b side-bad &&
	echo 3 >bar && git add bar &&
	test_tick && git commit -S -m "bad on side" &&
	git cat-file commit side-bad >raw &&
	sed -e "s/^bad/forged bad/" raw >forged &&
	git hash-object -w -t commit forged >forged.commit &&
	git checkout initial &&

	git checkout -b side-untrusted &&
	echo 3 >baz && git add baz &&
	test_tick && git commit -SB7227189 -m "untrusted on side" &&

	git checkout main
'

# With --verify-signatures on the command line, a fast-forward to the unsigned
# commit must fail and stderr must report the missing signature.
# test_when_finished resets the worktree and returns to the "initial" tag so
# the next test starts from the same state.
test_expect_success GPG 'merge unsigned commit with verification' '
	test_when_finished "git reset --hard && git checkout initial" &&
	test_must_fail git merge --ff-only --verify-signatures side-unsigned 2>mergeerror &&
	test_i18ngrep "does not have a GPG signature" mergeerror
'

# Same rejection as the --verify-signatures case, but enabled only through the
# merge.verifySignatures=true config (no command-line flag), so the config
# path is checked for the same enforcement.
test_expect_success GPG 'merge unsigned commit with merge.verifySignatures=true' '
	test_when_finished "git reset --hard && git checkout initial" &&
	test_config merge.verifySignatures true &&
	test_must_fail git merge --ff-only side-unsigned 2>mergeerror &&
	test_i18ngrep "does not have a GPG signature" mergeerror
'

# The forged commit object (id read from forged.commit, written by the setup
# test) carries a signature that does not match its content; with
# --verify-signatures the merge must fail with the "bad GPG signature" error.
test_expect_success GPG 'merge commit with bad signature with verification' '
	test_when_finished "git reset --hard && git checkout initial" &&
	test_must_fail git merge --ff-only --verify-signatures $(cat forged.commit) 2>mergeerror &&
	test_i18ngrep "has a bad GPG signature" mergeerror
'

# Config-only variant: merge.verifySignatures=true must reject the forged
# commit with the same "bad GPG signature" error, without any command-line
# flag.
test_expect_success GPG 'merge commit with bad signature with merge.verifySignatures=true' '
	test_when_finished "git reset --hard && git checkout initial" &&
	test_config merge.verifySignatures true &&
	test_must_fail git merge --ff-only $(cat forged.commit) 2>mergeerror &&
	test_i18ngrep "has a bad GPG signature" mergeerror
'

# A commit signed with key B7227189 must be refused as "untrusted" under
# --verify-signatures when gpg.minTrustLevel is not set by the test.
# NOTE(review): this pins the behaviour with no minTrustLevel configured here;
# the trust assigned to the key comes from the keyring in lib-gpg.sh -- confirm.
test_expect_success GPG 'merge commit with untrusted signature with verification' '
	test_when_finished "git reset --hard && git checkout initial" &&
	test_must_fail git merge --ff-only --verify-signatures side-untrusted 2>mergeerror &&
	test_i18ngrep "has an untrusted GPG signature" mergeerror
'

# With gpg.minTrustLevel=marginal the untrusted-key commit must still be
# rejected under --verify-signatures: the key does not reach the required
# level, so the error stays "untrusted GPG signature".
test_expect_success GPG 'merge commit with untrusted signature with verification and high minTrustLevel' '
	test_when_finished "git reset --hard && git checkout initial" &&
	test_config gpg.minTrustLevel marginal &&
	test_must_fail git merge --ff-only --verify-signatures side-untrusted 2>mergeerror &&
	test_i18ngrep "has an untrusted GPG signature" mergeerror
'

# With gpg.minTrustLevel=undefined the same untrusted-key commit is accepted:
# the merge succeeds and stdout reports a "good GPG signature".
# This pins that lowering minTrustLevel relaxes enforcement -- a valid
# signature from a key with no established trust then passes verification.
test_expect_success GPG 'merge commit with untrusted signature with verification and low minTrustLevel' '
	test_when_finished "git reset --hard && git checkout initial" &&
	test_config gpg.minTrustLevel undefined &&
	git merge --ff-only --verify-signatures side-untrusted >mergeoutput &&
	test_i18ngrep "has a good GPG signature" mergeoutput
'

# Config-only variant of the untrusted-key rejection: with
# merge.verifySignatures=true and no command-line flag, the merge must fail
# with the "untrusted GPG signature" error.
test_expect_success GPG 'merge commit with untrusted signature with merge.verifySignatures=true' '
	test_when_finished "git reset --hard && git checkout initial" &&
	test_config merge.verifySignatures true &&
	test_must_fail git merge --ff-only side-untrusted 2>mergeerror &&
	test_i18ngrep "has an untrusted GPG signature" mergeerror
'

# Both settings come from config here: merge.verifySignatures=true together
# with gpg.minTrustLevel=marginal must still reject the untrusted-key commit.
test_expect_success GPG 'merge commit with untrusted signature with merge.verifySignatures=true and minTrustLevel' '
	test_when_finished "git reset --hard && git checkout initial" &&
	test_config merge.verifySignatures true &&
	test_config gpg.minTrustLevel marginal &&
	test_must_fail git merge --ff-only side-untrusted 2>mergeerror &&
	test_i18ngrep "has an untrusted GPG signature" mergeerror
'

# Positive case: the commit signed with the default key passes
# --verify-signatures, the fast-forward succeeds, and stdout (captured with
# --verbose) names the signature as good.
test_expect_success GPG 'merge signed commit with verification' '
	test_when_finished "git reset --hard && git checkout initial" &&
	git merge --verbose --ff-only --verify-signatures side-signed >mergeoutput &&
	test_i18ngrep "has a good GPG signature" mergeoutput
'

# Positive case through config: merge.verifySignatures=true accepts the
# validly signed commit and reports a good signature on stdout.
test_expect_success GPG 'merge signed commit with merge.verifySignatures=true' '
	test_when_finished "git reset --hard && git checkout initial" &&
	test_config merge.verifySignatures true &&
	git merge --verbose --ff-only side-signed >mergeoutput &&
	test_i18ngrep "has a good GPG signature" mergeoutput
'

# Baseline: with no flag and no config set by the test, the forged commit
# merges successfully. This documents that signature checking on merge is
# opt-in; a repository that relies on it must enable it explicitly.
test_expect_success GPG 'merge commit with bad signature without verification' '
	test_when_finished "git reset --hard && git checkout initial" &&
	git merge $(cat forged.commit)
'

# merge.verifySignatures=false explicitly disables the check: the forged
# commit must merge without error.
test_expect_success GPG 'merge commit with bad signature with merge.verifySignatures=false' '
	test_when_finished "git reset --hard && git checkout initial" &&
	test_config merge.verifySignatures false &&
	git merge $(cat forged.commit)
'

# Precedence check: --no-verify-signatures on the command line overrides
# merge.verifySignatures=true, so the forged commit merges.
# Reviewers of wrapper scripts should note that the config setting alone does
# not bind a caller who passes this flag.
test_expect_success GPG 'merge commit with bad signature with merge.verifySignatures=true and --no-verify-signatures' '
	test_when_finished "git reset --hard && git checkout initial" &&
	test_config merge.verifySignatures true &&
	git merge --no-verify-signatures $(cat forged.commit)
'

# Merging into an orphan (unborn) branch has no existing HEAD commit; this
# test asserts that --verify-signatures is enforced on that path too and the
# unsigned commit is rejected with the missing-signature error.
# Cleanup only checks out "initial" (no reset --hard, unlike the other tests).
test_expect_success GPG 'merge unsigned commit into unborn branch' '
	test_when_finished "git checkout initial" &&
	git checkout --orphan unborn &&
	test_must_fail git merge --verify-signatures side-unsigned 2>mergeerror &&
	test_i18ngrep "does not have a GPG signature" mergeerror
'

# Signal the harness that the script has finished.
test_done